Cybersecurity researchers have discovered a new Golang-based backdoor malware that uses Telegram as its command-and-control (C2) mechanism. It is believed to be of Russian origin and, although still under development, is already fully functional. Upon execution, the malware behaves like a backdoor and first checks whether it is running from a specific location, “C:\Windows\Temp\svchost.exe.” If not, it copies itself to that location, launches a new process from the copied file, and then terminates the original instance.
One distinct feature of this malware is its use of an open-source Golang library for communicating with the Telegram Bot API. Through this connection, the malware receives commands from a chat channel controlled by the actor. At present, the malware recognizes four commands, of which only three are operational. These commands allow the malware to execute PowerShell commands via “/cmd,” ensure persistence by relaunching itself from a specified file path via “/persist,” and self-destruct via “/selfdestruct.”
Although the code includes a “/screenshot” command, it has not been implemented. Researchers have observed that sending this command triggers a message claiming a screenshot has been captured, despite no actual screenshot being taken. The choice to use Telegram for command-and-control is strategic, as the platform’s simplicity allows attackers to easily set up and execute attacks. The inclusion of Russian text in one of the commands further supports the notion that this malware may be linked to a larger campaign involving Russian threat actors.
Netskope Threat Labs has drawn attention to the challenges posed by cloud apps for defenders, citing the example of this malware utilizing Telegram as a means to conduct complex attacks. The simplicity of creating Telegram-based C2 channels and the ability to mask malicious activities within legitimate traffic make it challenging for security teams to detect and neutralize such threats effectively.
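The two host-side indicators the article gives, an svchost.exe image running from C:\Windows\Temp rather than System32, and a process talking to the Telegram Bot API (api.telegram.org/bot…), are easy to turn into detection logic over endpoint telemetry. The following is an added example written for this article, not code from Netskope Threat Labs or from the malware; the log line format, the sample log lines, the `BOT_API_ALLOWLIST` entry and the `<token>` placeholder are all constructed for the example. The svchost rule is written slightly more generally than the article's single path: it flags any svchost.exe started from outside the System32 and SysWOW64 directories.

```python
import ntpath
import re
from typing import List, NamedTuple, Optional

# Directories from which a genuine svchost.exe is expected to run.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Hypothetical allowlist: in-house processes that are expected to use the Telegram Bot API.
# Anything else reaching api.telegram.org/bot... is treated as suspicious.
BOT_API_ALLOWLIST = {r"c:\program files\acme\alertbot\alertbot.exe"}

# Constructed endpoint telemetry. Format (invented for this example):
#   <timestamp> <event> pid=<n> image=<path> [dst=<host> url=<path>]
SAMPLE_LOG = r"""
2024-01-01T10:00:00Z process_start pid=4120 image=C:\Windows\System32\svchost.exe
2024-01-01T10:00:05Z process_start pid=5312 image=C:\Windows\Temp\svchost.exe
2024-01-01T10:00:06Z net_connect pid=5312 image=C:\Windows\Temp\svchost.exe dst=api.telegram.org url=/bot<token>/getUpdates
2024-01-01T10:00:07Z net_connect pid=6001 image=C:\Program Files\Acme\AlertBot\alertbot.exe dst=api.telegram.org url=/bot<token>/sendMessage
2024-01-01T10:00:08Z net_connect pid=7000 image=C:\Program Files\Mozilla Firefox\firefox.exe dst=example.com url=/
"""


class Finding(NamedTuple):
    ts: str
    pid: int
    rule: str
    image: str


_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?)"
    r"(?: dst=(?P<dst>\S+) url=(?P<url>\S+))?$"
)


def parse(line: str) -> Optional[dict]:
    """Parse one telemetry line into a dict, or None if it does not match the format."""
    m = _LINE.match(line.strip())
    return m.groupdict() if m else None


def svchost_outside_system32(image: str) -> bool:
    """True if the image is named svchost.exe but lives outside the expected directories."""
    head, tail = ntpath.split(image.lower())
    return tail == "svchost.exe" and head not in LEGIT_SVCHOST_DIRS


def unexpected_bot_api_use(image: str, dst: Optional[str], url: Optional[str]) -> bool:
    """True if a non-allowlisted process calls the Telegram Bot API (api.telegram.org/bot...)."""
    if dst != "api.telegram.org" or not (url or "").startswith("/bot"):
        return False
    return image.lower() not in BOT_API_ALLOWLIST


def analyze(log_text: str) -> List[Finding]:
    """Run both rules over every parseable line and return the findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        pid = int(rec["pid"])
        # Rule 1: only evaluate at process start so one process yields one finding.
        if rec["event"] == "process_start" and svchost_outside_system32(rec["image"]):
            findings.append(Finding(rec["ts"], pid, "svchost_outside_system32", rec["image"]))
        # Rule 2: Telegram Bot API traffic from a process that is not expected to use it.
        if unexpected_bot_api_use(rec["image"], rec["dst"], rec["url"]):
            findings.append(Finding(rec["ts"], pid, "telegram_bot_api_use", rec["image"]))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} pid={f.pid} {f.rule}: {f.image}")
```

Against the constructed log, the script flags pid 5312 twice (svchost.exe launched from Temp, then its Bot API call) and stays silent on the genuine svchost.exe, the allowlisted bot and the browser. In a real deployment the second rule is the more durable one: the copy path is trivial for the author to change, whereas the backdoor cannot stop calling the Bot API endpoint without abandoning Telegram as its C2 channel, so the decision that matters is which processes in the estate are legitimately allowed to reach it.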
In conclusion, the emergence of this Golang-based backdoor malware utilizing Telegram highlights the evolving tactics employed by cybercriminals to evade detection and carry out malicious activities. As threat actors continue to exploit accessible platforms like Telegram for their operations, cybersecurity professionals face an ongoing battle to stay ahead of these sophisticated attacks and safeguard digital environments from compromise.